Generic signatures are often used to classify files based at least in part on the files' features. For example, a security software product may apply a generic signature to a file encountered by an end user's computing device. In this example, the security software product may compare various features of the file (such as the file's name, path, size, storage location, source, extension, format, and/or creation date) with the generic signature. By comparing such features with the generic signature, the security software product may be able to fairly accurately classify the file as either clean or malicious.
Unfortunately, traditional generic signatures may still lead to false positives and/or false negatives in certain scenarios. For example, a security software vendor may manually generate a traditional generic signature from a broad set of training data that includes known clean and/or malicious files. As a result, this traditional generic signature may be somewhat predictive in nature, potentially leading to inaccurate results. In one example, the security software vendor may release this traditional generic signature to a security software product running on an end user's computing device. In this example, the security software product may misdiagnose certain clean files encountered by the end user's computing device as polymorphic malware by applying the traditional generic signature.
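To make the two paragraphs above concrete, here is an added illustration (not code from the disclosure) of a generic signature as a conjunction of predicates over the listed file features, a hand-written signature that misclassifies a clean file, and a signature derived automatically from labelled training data that does not. The file records, feature names and the `derive_signature` heuristic are constructed assumptions for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FileFeatures:
    """Per-file features a product compares against a generic signature."""
    name: str
    path: str
    size: int
    extension: str
    file_format: str
    source: str

# Constructed training data (hypothetical records, not real malware samples).
KNOWN_MALICIOUS = [
    FileFeatures("update.exe", "C:/Users/Public/Downloads", 51200, "exe", "PE32", "email"),
    FileFeatures("invoice.scr", "C:/Users/Public/Downloads", 52736, "scr", "PE32", "email"),
]
KNOWN_CLEAN = [
    FileFeatures("setup.exe", "C:/Program Files/Vendor", 4194304, "exe", "PE32", "installer"),
    FileFeatures("report.pdf", "C:/Users/Public/Documents", 80000, "pdf", "PDF", "email"),
    FileFeatures("tool.exe", "C:/Users/Public/Downloads", 3000000, "exe", "PE32", "email"),
]

def matches(signature, f):
    """A generic signature is a conjunction of per-feature predicates."""
    return all(pred(getattr(f, key)) for key, pred in signature.items())

# Hand-written, overly broad signature: "any PE32 file that arrived by email".
MANUAL_SIG = {"file_format": lambda v: v == "PE32", "source": lambda v: v == "email"}

def derive_signature(malicious):
    """Automatically build the most specific conjunction of feature predicates
    that still covers every malicious training sample (assumed heuristic)."""
    sig = {}
    for key in ("path", "extension", "file_format", "source"):
        values = {getattr(f, key) for f in malicious}
        if len(values) == 1:  # feature is constant across malicious samples
            sig[key] = (lambda v, const=values.pop(): v == const)
    lo, hi = min(f.size for f in malicious), max(f.size for f in malicious)
    sig["size"] = lambda v: lo <= v <= hi
    return sig

def evaluate(signature, malicious, clean):
    """Return (true positives, false positives) over labelled files."""
    tp = sum(matches(signature, f) for f in malicious)
    fp = sum(matches(signature, f) for f in clean)
    return tp, fp

if __name__ == "__main__":
    print("manual :", evaluate(MANUAL_SIG, KNOWN_MALICIOUS, KNOWN_CLEAN))  # (2, 1)
    derived = derive_signature(KNOWN_MALICIOUS)
    print("derived:", evaluate(derived, KNOWN_MALICIOUS, KNOWN_CLEAN))     # (2, 0)
```

The derived size range is only as wide as the training data, so a polymorphic variant of a different size would be a false negative: the same trade-off between over-broad and over-narrow signatures that the text describes.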
The instant disclosure, therefore, identifies and addresses a need for systems and methods for automated generation of generic signatures used to detect polymorphic malware.